On Thu, Nov 21, 2024 at 8:40 AM Mickaël Salaün <mic@xxxxxxxxxxx> wrote: > On Wed, Nov 20, 2024 at 08:06:07AM -0800, Jeff Xu wrote: > > On Wed, Nov 20, 2024 at 1:42 AM Mickaël Salaün <mic@xxxxxxxxxxx> wrote: > > > On Tue, Nov 19, 2024 at 05:17:00PM -0800, Jeff Xu wrote: > > > > On Tue, Nov 12, 2024 at 11:22 AM Mickaël Salaün <mic@xxxxxxxxxxx> wrote: ... > > > > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > > > > > index cd57053b4a69..8d9ba5600cf2 100644 > > > > > --- a/kernel/auditsc.c > > > > > +++ b/kernel/auditsc.c > > > > > @@ -2662,6 +2662,7 @@ void __audit_bprm(struct linux_binprm *bprm) > > > > > > > > > > context->type = AUDIT_EXECVE; > > > > > context->execve.argc = bprm->argc; > > > > > + context->execve.is_check = bprm->is_check; > > > > > > > > Where is execve.is_check used ? > > > > > > It is used in bprm_execve(), exposed to the audit framework, and > > > potentially used by LSMs. > > > > > bprm_execve() uses bprm->is_check, not the context->execve.is_check. > > Correct, this is only for audit but not used yet. > > Paul, Eric, do you want me to remove this field, leave it, or extend > this patch like this? > > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index 8d9ba5600cf2..12cf89fa224a 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -1290,6 +1290,8 @@ static void audit_log_execve_info(struct audit_context *context, > } > } while (arg < context->execve.argc); > > + audit_log_format(*ab, " check=%d", context->execve.is_check); > + > /* NOTE: the caller handles the final audit_log_end() call */ > > out: I would prefer to drop the audit changes rather than add a new field to the audit record at this point in time. Once we have a better understanding of how things are actually being deployed by distros, providers, and admins we can make a more reasoned decision on what we should audit with respect to AT_EXECVE_CHECK. Beyond that it looks okay to me from a LSM and audit perspective, so feel free to add my ACK once you've dropped the audit bits. Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx> -- paul-moore.com